LoFP

False positives will not be present, as the rule is meant to assist with identifying default certificates that are in use.

Techniques

Sample rules

Splunk Identified SSL TLS Certificates

Description

The following analytic uses the tags ssl, tls and certificate to identify use of the Splunk default certificates in the environment. The recommended guidance is to use valid TLS certificates; documentation is in Splunk Docs - https://docs.splunk.com/Documentation/Splunk/8.2.6/Security/AboutsecuringyourSplunkconfigurationwithSSL.

Detection logic

tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk*
| stats values(src) AS "Host(s) with Default Cert" count by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype
| `splunk_identified_ssl_tls_certificates_filter`
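To make the search above concrete, here is an added example (not part of the LoFP page and not Splunk's own code) that models the detection logic in Python and runs it over a handful of constructed SSL/TLS events. The field names are the ones the rule uses; the certificate names, hosts and source addresses are constructed sample values; the `splunk_identified_ssl_tls_certificates_filter` macro is not modelled. Two Splunk behaviours the rule relies on are reproduced: field-value matching is case-insensitive, and `stats ... by` drops events in which any group-by field is missing.

```python
"""Python model of the "Splunk Identified SSL TLS Certificates" search.

Added example, not the rule itself.  Field names follow the SPL; all sample
values below are constructed for illustration.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# tag IN (ssl, tls, certificate)
CERT_TAGS = {"ssl", "tls", "certificate"}

# ... by ssl_issuer ssl_subject_common_name ssl_subject_organization ssl_subject host sourcetype
GROUP_FIELDS = ("ssl_issuer", "ssl_subject_common_name",
                "ssl_subject_organization", "ssl_subject", "host", "sourcetype")


def matches_search(event):
    """Equivalent of: tag IN (ssl, tls, certificate) ssl_issuer_common_name=*splunk*

    Splunk compares field values case-insensitively, so both sides are lower-cased
    before the wildcard match.
    """
    tags = {str(t).lower() for t in event.get("tag", [])}
    if not tags & CERT_TAGS:
        return False
    issuer_cn = str(event.get("ssl_issuer_common_name", "")).lower()
    return fnmatchcase(issuer_cn, "*splunk*")


def default_cert_report(events):
    """Equivalent of: | stats values(src) AS "Host(s) with Default Cert" count by <GROUP_FIELDS>

    Returns one row per distinct combination of the group-by fields, sorted by
    host and subject CN so the output is stable.
    """
    groups = defaultdict(lambda: {"srcs": set(), "count": 0})
    for ev in events:
        if not matches_search(ev):
            continue
        # stats ... by drops events where any by-field is null.
        if any(ev.get(f) is None for f in GROUP_FIELDS):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups[key]
        g["count"] += 1
        if ev.get("src") is not None:
            g["srcs"].add(ev["src"])

    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row["Host(s) with Default Cert"] = sorted(g["srcs"])  # values(src)
        row["count"] = g["count"]
        rows.append(row)
    return sorted(rows, key=lambda r: (r["host"], r["ssl_subject_common_name"]))


def _splunk_default(host, sourcetype, src, **overrides):
    """Build a constructed event that looks like a Splunk default certificate."""
    ev = {
        "tag": ["ssl", "certificate"],
        "ssl_issuer": "CN=SplunkCommonCA,O=SplunkUser",
        "ssl_issuer_common_name": "SplunkCommonCA",
        "ssl_subject": "CN=SplunkServerDefaultCert,O=SplunkUser",
        "ssl_subject_common_name": "SplunkServerDefaultCert",
        "ssl_subject_organization": "SplunkUser",
        "host": host,
        "sourcetype": sourcetype,
        "src": src,
    }
    ev.update(overrides)
    return ev


# Constructed sample events (hosts, addresses and certificate strings are made up).
SAMPLE_EVENTS = [
    _splunk_default("web01", "zeek:ssl", "10.0.0.5"),
    _splunk_default("web01", "zeek:ssl", "10.0.0.6"),            # same cert, second client
    _splunk_default("idx01", "zeek:ssl", "10.0.0.9",
                    ssl_issuer_common_name="splunkcommonca"),     # case differs, still matches
    _splunk_default("fwd03", "zeek:ssl", "10.0.0.12",
                    ssl_subject_organization=None),               # null by-field: dropped by stats
    _splunk_default("dns01", "zeek:dns", "10.0.0.20", tag=["dns"]),  # wrong tag: excluded
    {   # properly issued certificate: excluded by the issuer CN wildcard
        "tag": ["tls"], "ssl_issuer": "CN=Example Corporate CA,O=Example",
        "ssl_issuer_common_name": "Example Corporate CA",
        "ssl_subject": "CN=web02.example.test,O=Example",
        "ssl_subject_common_name": "web02.example.test",
        "ssl_subject_organization": "Example", "host": "web02",
        "sourcetype": "zeek:ssl", "src": "10.0.0.7",
    },
]

if __name__ == "__main__":
    for row in default_cert_report(SAMPLE_EVENTS):
        print(row)
```

Running the block prints two rows: web01 with two client addresses (count 2) and idx01 with one; the DNS-tagged event, the properly issued certificate, and the event with a missing organization field do not appear, which is the same set of exclusions the SPL produces.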